Access Control: Make it possible to exclude role grants (grafana#91647)

alexanderzobnin · web-flow · commit 0e5d7633f7c8 · 2024-08-08T14:11:17.000+02:00
diff --git a/pkg/api/accesscontrol.go b/pkg/api/accesscontrol.go
@@ -442,6 +442,8 @@ func (hs *HTTPServer) declareFixedRoles() error {
 			},
 		},
 		Grants: []string{"Editor"},
+		// Don't grant fixed:folders:creator to Admin
+		Exclude: []string{"Admin"},
 	}
 
 	foldersReaderRole := ac.RoleRegistration{
diff --git a/pkg/services/accesscontrol/models.go b/pkg/services/accesscontrol/models.go
@@ -26,8 +26,9 @@ var (
 // RoleRegistration stores a role and its assignments to built-in roles
 // (Viewer, Editor, Admin, Grafana Admin)
 type RoleRegistration struct {
-	Role   RoleDTO
-	Grants []string
+	Role    RoleDTO
+	Grants  []string
+	Exclude []string
 }
 
 // Role is the model for Role in RBAC.

Original file line number	Diff line number	Diff line change
`@@ -442,6 +442,8 @@ func (hs *HTTPServer) declareFixedRoles() error {`
`442`	`442`	`},`
`443`	`443`	`},`
`444`	`444`	`Grants: []string{"Editor"},`
	`445`	`+ // Don't grant fixed:folders:creator to Admin`
	`446`	`+ Exclude: []string{"Admin"},`
`445`	`447`	`}`
`446`	`448`
`447`	`449`	`foldersReaderRole := ac.RoleRegistration{`